FREE SE Monitoring & Incident Response Questions and Answers
Which of the following steps is typically the first in an incident response process?
The Identification phase is the first step in the incident response process, where security engineers detect and verify that a security incident has occurred. Once identified, other phases such as containment, eradication, and recovery follow.
Which action is part of the "containment" phase in incident response?
The containment phase focuses on isolating affected systems to prevent further damage. Disconnecting the system from the network limits the attacker's ability to spread or cause more harm. Analyzing logs is part of the identification phase, reporting is part of communication, and restoring systems occurs during recovery.
Which of the following is an example of a post-incident activity?
A post-incident review (or "lessons learned") occurs after an incident has been resolved. It is designed to analyze what happened, why it happened, and how similar incidents can be prevented in the future. Eradicating malware and updating firewall rules happen during the incident, and monitoring ongoing attacks is part of incident detection.
Which of the following is the primary function of a Security Information and Event Management (SIEM) system?
A SIEM system aggregates and analyzes logs from different sources such as firewalls, IDS/IPS, and operating systems to detect potential security threats and anomalous behavior. It helps with real-time monitoring, incident detection, and response. SIEMs do not encrypt data, manage traffic, or perform vulnerability scans.
What is the purpose of continuous security monitoring?
Continuous security monitoring involves the ongoing process of analyzing security threats to detect malicious activity in real-time. The goal is to proactively detect threats, enabling rapid investigation and response. Updating software, ensuring compliance, and backing up data are important, but they are not the main purpose of continuous monitoring.